Compliance

Get the assurance you need to know that our cloud offerings meet the latest compliance and security standards. We regularly check compliance through external reviews and audits and follow one common framework, including data security and privacy regulations, worldwide.

Key compliance considerations

Hear from our security experts how SAP deals with compliance in the cloud using compliance standards and certifications we have as part of our overall offerings and security program.

ISO/BS Certificates

SAP has developed and implemented an integrated framework based on several international standards. This approach provides a consistent, secure service that meets customer and applicable regulatory requirements. We address client satisfaction and the continuous, secure operation of our services through the effective application of the framework, which includes continuous improvement and the prevention of nonconformity. All cloud units certified against ISO/BS standards are audited annually by our certification body.

ISO/IEC 9001 Quality Management System

This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, as well as the process approach and continuous improvement.

ISO/IEC 27001 Security Management System

ISO/IEC 27001 is possibly the best-known standard in the ISO family. It provides a holistic, risk-based approach to security and a comprehensive, measurable set of information security management practices.

ISO/IEC 22301 Business Continuity Management System

ISO 22301 is the international standard for business continuity management. It’s designed to protect business operations from potential disruption. This includes extreme weather, fire, flood, natural disaster, theft, IT outage, staff illness, and terror attacks.

BS 10012 Personal Information Management System

This standard covers areas such as employee security awareness training, risk assessments, data retention, and disposal. It establishes policies and procedures and enables the effective management of personal information on individuals.

ISO/IEC 20000 Service Management

This standard specifies a management system approach to service management and provides measurable quality guidance for the best-practice framework IT Infrastructure Library (ITIL). It also includes elements from other frameworks such as Control Objectives for Information and Related Technologies (COBIT).

Service Organization Control Reports

SAP offers Service Organization Control (SOC) reports to provide assurance and detailed insight into the design and operating effectiveness of the internal control systems implemented within cloud delivery units. SOC reports are industry-independent and well known. Cloud solutions from SAP are audited by our external auditor at least once a year.

SOC 1 Reports

The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 16 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

SOC 2 Reports

Customers and prospects are given insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

SOC 3 Reports

Interested parties get a report on the control system implemented within cloud solutions from SAP that is relevant to security, availability, processing integrity, confidentiality, or privacy. The SOC 3 report is a short-form record that provides no description of controls testing and results; it summarizes the results of the respective SOC 2 audits.

Other Certifications and Attestations

Payment Card Industry Data Security Standard (PCI DSS)

This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It comprises common-sense steps that mirror security best practices.

Good Practice Quality Guidelines and Regulations (GxP)

GxP is an acronym referring to the regulation and guidelines applicable to life sciences organizations that make food and medical products. These requirements ensure that food and medical products are safe for consumers.

Cloud Computing Compliance Controls Catalogue (C5)

The C5 compliance catalogue has proven itself, due to its neutrality, scope, compactness, and testability, as an attestation that offers a stable foundation for internal auditing and for information security management in regulated industries.